You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/02/01 01:28:25 UTC
DO NOT REPLY [Bug 48647] New: RemoteIpFilter : request.secure and
request.scheme are not forced to "false" and "http" if X-Forwarded-Proto=http
https://issues.apache.org/bugzilla/show_bug.cgi?id=48647
Summary: RemoteIpFilter : request.secure and request.scheme are
not forced to "false" and "http" if
X-Forwarded-Proto=http
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Mac OS X 10.4
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: cyrille.leclerc@pobox.com
Created an attachment (id=24913)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24913)
Fixed Tomcat 7 patch with updated docs
When X-Forwarded-Proto="http", the incoming request attributes secure, scheme
and serverPort are not overridden as they are with "https".
If a request came as unsecured/http but the communication between apache and
tomcat is ssl, then request.isSecure(), request.getScheme() and
request.getServerPort() are wrong.
Proposed patch :
* introduce a httpServerPort configuration parameter
* modify logic for request.isSecure(), request.getScheme() , and
request.getServerPort() :
** if header "x-forwarded-proto" is null then keep incoming values
** else if header "x-forwarded-proto" is equal to "https" then override values
to true, https and 443
** else override values to false, http and 80
Note :
* "x-forwarded-proto", 80, 443 and "https" (as the ssl value for
x-forwarded-proto header) are configurable ; I use sample values in the bug
description to make it easier to understand.
* I will soon provide the same fix for RemoteIpValve.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 48647] RemoteIpFilter : request.secure and
request.scheme are not forced to "false" and "http" if X-Forwarded-Proto=http
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48647
Cyrille Le Clerc <cy...@pobox.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #24913|Fixed Tomcat 7 patch with |Tomcat 7 patch with updated
description|updated docs |docs
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 48647] RemoteIpFilter : request.secure and
request.scheme are not forced to "false" and "http" if X-Forwarded-Proto=http
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48647
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> 2010-02-02 05:26:08 GMT ---
The patch has been applied to trunk. Many thanks.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org